Security as Culture: A Systematic Literature Review of DevSecOps

Abstract

DevOps goes beyond automation, continuous integration and delivery processes, since it also encompasses people. In fact, DevOps promotes the collaboration between the development team and the operations team. When security comes into DevOps routines, people play an even more relevant role involving the collaboration between those teams and security team. Moreover, security is especially relevant while developing critical systems where we need to manage goals, risks and evidences. After implementing security into the DevOps toolchain, work only starts. We also need to start with behavioral changes in order to create a security culture. Several authors underlined DevSecOps, as one of the proposals for solving or, at least, minimizing this challenge. However, to date, the characterization of such a culture remains unclear. In this paper, a Systematic Literature Review was carried out to provide a better understanding of this topic from the human factor's perspective. However it raises the following question: Is DevSecOps going to become mainstream?